Play ransomware exploited Windows zero-day.
The ransomware threat is far from over, despite the internal private communications of some of the cybercriminal gangs being leaked, snitches being offered big bucks for information on gang members, and the childishness of DOGE-trolling attackers demanding $1 trillion payments. If you want evidence of this, look no further than a recent report confirming a 5,365 ransomware rampage. Now it has been revealed that the Play ransomware malware has been used by cybercrime groups exploiting a Windows zero-day vulnerability in attacks across multiple countries, including the U.S., although not all were successful. Here’s what you need to know.
Windows Common Log File System Zero-Day Exploited In Play Ransomware Attacks
A joint investigation by the Microsoft Threat Intelligence Center and Microsoft Security Response Center found that a zero-day vulnerability in the Windows Common Log File System had been exploited by Play ransomware attackers, before the elevation of privilege issue was fixed by the April Patch Tuesday security update. Targets included real estate and information technology organizations in the U.S., the retail sector in Saudi Arabia, and software in Spain. Now, the Symantec Threat Hunter Team has published an in-depth technological exploration of another, unsuccesful this time, Play ransomware attack exploiting the same CVE-2025-29824 zero-days against an as yet unnamed U.S. company.
The Microsoft threat report confirmed that the original attacks had been facilitated by the use of the PipeMagic malware backdoor and attributed them to a threat actor identified as Storm-2460, although no further information has been provided regarding this group. The Symantec Threat Hunter report, meanwhile, has attributed the latest attacks to a cybercrime group identified as Balloonfly, which is linked to multiple incidents involving Play ransomware deployed against businesses in North America, South America and Europe.
“While the use of zero-day vulnerabilities by ransomware actors is rare,” Symantec said, “it is not unprecedented.” The good news is that the Ballonfly attack, Symantec said, occurred before the Windows patch was released. So, at the risk of stating the obvious, patch management is the best mitigation against falling victim to the Play ransomware menace. At least, that is, as far as this exploit route is concerned. CVE-2025-29824, is a use-after-free memory vulnerability in the Windows Common Log File System driver that can allow an unauthorized attacker to elevate their system privileges locally.